NY’s Cyber Guidance Could Boost Risk Management for Insurers, Insureds Across U.S.

The Cyber Insurance Risk Framework, launched recently by the New York State Department of Financial Services, is a positive step for both insurers and insureds. It calls on insurers to consider more explicitly how they measure their cyber risk exposures, which puts appropriate focus on the quantification methods used to rate insureds and on the management of accumulated systemic risk, which can be significant.

For insureds, on the other hand, the guidance encourages a framework that rewards them for improving their cyber risk posture. It also gives insureds another source of feedback to act upon: the education provided by insurers in a number of areas, including the value of specific cyber-security measures, reduces the risk that insureds suffer cyber events causing harm and disruption to their businesses.

Indeed, the overall impact of the guidance will be to make the insurance market more resilient to cyber risk, while encouraging insureds to adopt better cyber risk management. Accordingly, insurers in other markets, outside the New York regulatory regime, could also benefit from following the guidance.

This article focuses on these and other positive impacts for insurers and insureds and explains how this action from the NY State DFS will improve the attitude and competence of both insurers and insureds with respect to their assessment and management of the risk posed by cyber perils.

In doing so, the article aims to highlight what insurers should consider and implement at this stage even if they are not regulated by the NY State DFS and are not subject to similar regulation from other regulatory authorities.

Board Responsibility

Under the guidance, the insurer's board is responsible for the overall performance of the business, including governance and risk management of the cyber risk the business bears. By placing responsibility for measuring cyber insurance risk on senior management and the board of directors, the guidance compels insurers to formally consider and document their approach to this requirement.

Cyber exposures are potentially high, given that cyber risk is present in all lines of business – not just affirmative cyber. Cyber risk spread across differing lines of business can also aggregate. As a result, explicit consideration of the approach to this exposure will continue to rise in importance as businesses become more digitally connected and technologically reliant.

NY Cyber Insurance Framework in Brief

The New York State Department of Financial Services’ new Cyber Insurance Risk Framework encourages insurers to incorporate the following best practices into their cyber risk strategy:

The board should understand why a cyber risk model from an external vendor is or is not being used and, if one is used, what its limitations are. Realistically, boards should recognize that forming an unbiased view of risk and differentiating effectively between risks is extremely difficult without a vendor model. It is likewise difficult to identify and assess cyber aggregation within affirmative cyber business and across other lines of business without one. Clear identification of accumulation scenarios is needed, and communicating the resulting financial exposure to management and the board is key.

Understanding Systemic Risks

Another important issue is a portfolio's exposure to systemic risks. An insured may not recognize all of its own critical dependencies, and it may not fully understand its reliance on third parties. This hampers an insurer's ability to model, in a sophisticated manner, the aggregate impact of a systemic event on its portfolio.

The SolarWinds attack has been an eye-opening experience for many organizations as they scramble to understand the full extent of the damage and exposure they face. As more information becomes available, analysis of the "target victims" continues to show interesting trends. Location, industry, and entity size are common qualitative factors taken into consideration when analyzing the impact and likelihood of cyber attacks.

In recognition of this, an open market framework called Cyber Risk Accumulation Zones (CRA Zones) has been developed for cyber risks in the U.S.* It is specifically designed to standardize the measurement of catastrophic cyber risk exposure along three crucial dimensions: location, industry, and entity size. CRA Zones are designed to make it easier to understand the risk within a portfolio of insureds. (Editor's note: CRA Zones were designed by Kovrr during its participation in the fourth cohort of Lloyd's Lab, the innovation accelerator operated by Lloyd's of London.)

Analysis of the SolarWinds attack showed a clear accumulation of affected companies within specific CRA Zones, with criteria matching telecommunications and government entities in the United States and Europe.
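To make the zoning idea concrete, the following is an added example, not Kovrr's CRA Zones implementation or any code from the article. It assumes a zone key is the triple (country, industry, size band), invents hypothetical revenue bands for entity size, constructs a small sample portfolio, and then aggregates policy limits per zone, flags zones that exceed an appetite threshold, and prices a systemic scenario whose footprint is a set of countries and industries (as in the SolarWinds observation above). Real CRA Zone definitions, band boundaries and loss assumptions may differ.

```python
"""Portfolio accumulation by (country, industry, size band) zone.

Added illustration; the zone definition, size bands, sample portfolio
and scenario parameters below are all assumptions, not CRA Zone data.
"""
from collections import defaultdict

# Hypothetical annual-revenue bands in USD (half-open ranges [lo, hi)).
SIZE_BANDS = [
    ("small", 0, 50_000_000),
    ("mid", 50_000_000, 1_000_000_000),
    ("large", 1_000_000_000, float("inf")),
]


def size_band(revenue):
    """Map an insured's annual revenue onto a size band name."""
    for name, lo, hi in SIZE_BANDS:
        if lo <= revenue < hi:
            return name
    raise ValueError(f"revenue out of range: {revenue}")


def zone_of(insured):
    """Zone key: (country, industry, size band)."""
    return (insured["country"], insured["industry"], size_band(insured["revenue"]))


def aggregate_by_zone(portfolio):
    """Sum policy limits per zone. Returns {zone: total limit}."""
    totals = defaultdict(int)
    for policy in portfolio:
        totals[zone_of(policy)] += policy["limit"]
    return dict(totals)


def zones_over_appetite(totals, appetite):
    """Zones whose accumulated limit exceeds the appetite threshold."""
    return sorted(zone for zone, total in totals.items() if total > appetite)


def scenario_exposure(portfolio, countries, industries, loss_ratio):
    """Modelled loss for a systemic event whose footprint is the given
    countries x industries (all size bands), assuming each affected policy
    pays loss_ratio of its limit. Returns (modelled loss, affected count)."""
    affected = [p for p in portfolio
                if p["country"] in countries and p["industry"] in industries]
    return sum(p["limit"] for p in affected) * loss_ratio, len(affected)


# Constructed sample portfolio (not real insureds).
PORTFOLIO = [
    {"name": "A", "country": "US", "industry": "telecom",    "revenue": 2_000_000_000, "limit": 10_000_000},
    {"name": "B", "country": "US", "industry": "telecom",    "revenue":   300_000_000, "limit":  5_000_000},
    {"name": "C", "country": "US", "industry": "government", "revenue":   100_000_000, "limit":  5_000_000},
    {"name": "D", "country": "DE", "industry": "government", "revenue": 2_000_000_000, "limit":  8_000_000},
    {"name": "E", "country": "US", "industry": "retail",     "revenue":    20_000_000, "limit":  2_000_000},
    {"name": "F", "country": "GB", "industry": "telecom",    "revenue": 5_000_000_000, "limit": 10_000_000},
    {"name": "G", "country": "US", "industry": "telecom",    "revenue": 2_500_000_000, "limit": 15_000_000},
]

# Hypothetical appetite per zone and scenario footprint.
APPETITE_PER_ZONE = 20_000_000
SCENARIO_COUNTRIES = {"US", "DE", "GB"}
SCENARIO_INDUSTRIES = {"telecom", "government"}
SCENARIO_LOSS_RATIO = 0.3


if __name__ == "__main__":
    totals = aggregate_by_zone(PORTFOLIO)
    for zone, total in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{zone}: {total:,}")
    print("over appetite:", zones_over_appetite(totals, APPETITE_PER_ZONE))
    loss, n = scenario_exposure(PORTFOLIO, SCENARIO_COUNTRIES,
                                SCENARIO_INDUSTRIES, SCENARIO_LOSS_RATIO)
    print(f"scenario: {n} policies affected, modelled loss {loss:,.0f}")
```

The zone totals are what a board would want reported against appetite; the scenario function is the piece that turns an observed footprint (here, telecom and government in the US and Europe) into a financial number, which is the communication step the guidance asks for.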

Helping Insureds Understand Cyber Threats

Measurement of risk aggregation within a portfolio will continue to develop significantly through 2021 and 2022; this is explored further under Monitoring the Cyber Portfolio below.

The NY State DFS framework discusses the important role insurers play in educating their insureds about cyber security and reducing the risk of cyber incidents. This clearly includes the weaknesses that insurers uncover in their risk assessments of insureds, but it can also include threat intelligence. The same threat intelligence can be applied within the portfolio to ensure that the risks being insured do not grow beyond what was initially expected and thus fall outside appetite.

This New York initiative aims to reduce the risk of an unexpected shock to the cyber market and to encourage insurer appetite in a market that Munich Re predicts will reach $20 billion in gross written premiums by 2025.

Monitoring the Cyber Portfolio

An insurer needs to monitor the development of its portfolio and assess changes in its risk. The risk can change because the insurer writes more or fewer policies, because the mix of insureds changes, because the cyber risk posture of existing insureds changes, because the cyber threat environment changes, or because model assumptions have been updated. Regularly monitoring the exposure, and the impact of stress tests on the portfolio, is much easier with a vendor model.

The New York guidance recognizes that both insurer and vendor models have made significant progress in the past few years and will keep changing; when model output changes, it is important to understand why, so that appropriate action can be taken. This will be an exciting area of development for model vendors and insurers as the adoption of cyber insurance continues to increase.

Regulatory Push for Better Cyber Risk Management

This initiative, and similar initiatives from other regulators, continues to make explicit the importance that regulators place on cyber risk and the associated expectations of insurer boards. The overall impact will be to make the insurance market more resilient to cyber risk through improved risk and portfolio management, while incentivizing better cyber risk management by insureds.